Mobile Providers Tackle Security Concerns

Some mobile banking security fears are based on the unknown.

“No conversation with a credit union client takes place these days without a mention of mobile. It’s no longer any sort of novelty—it’s integral to any security discussion,” says Brian Abele, vice president of product management at Q2ebanking. “Emerging technology always brings unknowns, so people’s concerns are basically worries about the unknown.”

But Abele agrees with his industry peers that the level of threats to the security of mobile devices isn’t as great as many credit unions fear.

“Threats that credit unions raise with us more than in any other area is someone else getting a mobile device and using it—getting the user name and password,” says Tom Campbell, vice president of sales at PM Systems. “Since phones are carried everywhere, it’s easier to lose them or have them stolen, certainly compared to a PC in somebody’s house. Also, there’s a concern that easy-to-use bill pay or person-to-person funds transfer apps could be used by a fraudster.”

But, Campbell asks, can those fears be realized?

“Theoretically, yes; but practically speaking, probably not,” he says. “First, it’s hard to steal money via a mobile device because it leaves a paper trail. And the person who finds or steals a mobile device isn’t likely to know anything about its owner, which makes it difficult to use the device for fraudulent purposes.”

The threat to mobile devices can be marginally less than the threats to a regular website, Campbell says. That’s true for two reasons:

Credit union mobile sites can drop a cookie on the phone that helps them identify its user; and

Mobile devices have certain identifying characteristics that indicate characteristics about the user.

“For example, when a phone ‘talks’ to our server, there’s a header that shows its operating system and the browser version its owner uses,” Campbell explains. “So if they normally come in on an iPhone but now are coming in on an Android device, that alerts us that there could be fraudulent activity going on.”

“We see the biggest threats on this channel as the presumption of fraud and the lack of education about what to expect with this channel,” says Jeremiah Lotz, manager of e-commerce solutions at PSCU Financial Services. “It’s a lot like when online banking was introduced: People had great concerns about security and didn’t quite know their way around the topic.”

One area security providers are watching is apps.

“In security bulletins and publications, mobile banking hasn’t emerged as a threat vector yet. But, as everybody is creating apps and websites, it will become an issue,” says Ward Howell, director of security solutions consulting at Q2ebanking.

“A recent survey revealed that 25% of smart phones now have IDs and passwords cached on them,” he continues. “But at this point, there’s not a lot of talk about mobile banking security.”

Lotz says fake mobile apps do exist, but there aren’t many of them.

“Credit unions can teach members what to expect if an app identifies itself as coming from the credit union—certain pieces of information that should be provided if the app is legitimate,” he explains. “But for now, they’re not a real big threat—certainly not as much as on other channels.”

The one form of fraud that will always be the most difficult to deal with, Campbell says, is family fraud.

“It’s the hardest of all types of fraud to protect against,” he says. “When one family member knows so much about another it becomes easy to take over that person’s mobile device and use it for fraudulent purposes.”

The NCUA’s final field-of-membership rule was published Wednesday, making it effective Feb. 6. The rule, finalized by the NCUA board in October, facilitates consumer access to credit unions and provides credit unions with more flexibility.